From nobody Sun Feb 8 09:53:01 2026 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7FE60281508 for ; Tue, 2 Dec 2025 16:16:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764692217; cv=none; b=giYpLeBlfu9+lSCFzaYmNvsRFIsdDocH5srtlrwQYixQDbz6lfQwfaVxNBB1g0GX8Py8UHtuTNWFukyMRI3heFzocf+ytAKTMbykk8MS5IdA73jCcJSM8SfwEgx44Nxx20wCX4k/SGy+LVoEaMb8QCLa2TXrpaDNAWLD5S3FGcY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1764692217; c=relaxed/simple; bh=RRK3ehoBMhGgz18L+CrQolzA9ylOrAARcrt2z6DMPKI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=KW772SOhrwKufoICUcFKG36k4KICNRqPztfy3a1A575zs7IUTOSffhMuaRt30vgtCzr6LfOn4u1SW/RxwI2AQq45vo7VC+/srwYeDdDbe0hEasa5ZZSpZplrEcp6p6SpYdhqSF1Sh3Say3lTiQhXko+uUJO7YJTQfq/SRPnEAI8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=j1G1rjRg; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="j1G1rjRg" Received: by smtp.kernel.org (Postfix) with ESMTPSA id C8E76C4CEF1; Tue, 2 Dec 2025 16:16:56 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1764692217; bh=RRK3ehoBMhGgz18L+CrQolzA9ylOrAARcrt2z6DMPKI=; h=From:To:Cc:Subject:Date:From; b=j1G1rjRgvrdj6J9570Q9vu5c/hD3A14XJGJARvCXKfTLnXoGCE76HEFX7OQeuluuh hXyCQyrTFFGQcc9CVVsj8EUPz9R5Idy5O2MkXvWnFNk3VaCDCgbIztZp2IP+SGNGJV w7KlPIvw/HlUFr00pJPrRkvUspBX0lcaRv2J1QUAYQdp6QPwSHMvTiMlKhqwzmCqlv YchjKEeFTcGS5pfS5pQFVjoLPv5s71cAvgIgHhMKi6bTiydcUpstCTB3Qe4/X8gu9r 9cocEBMYr9web0oMJmOZrajJyalvYdLuyn+uTbjndxitrnphyb9sDjAKNcgEzKkI6/ +jPnF5ir+tPdw== From: Josh Poimboeuf To: x86@kernel.org Cc: linux-kernel@vger.kernel.org, Nathan Chancellor , Peter Zijlstra , Alexandre Chartre , Ingo Molnar , David Laight Subject: [PATCH] objtool: Fix stack overflow in validate_branch() Date: Tue, 2 Dec 2025 08:16:28 -0800 Message-ID: <21bb161c23ca0d8c942a960505c0d327ca2dc7dc.1764691895.git.jpoimboe@kernel.org> X-Mailer: git-send-email 2.51.1 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" On an allmodconfig kernel compiled with Clang, objtool is segfaulting in drivers/scsi/qla2xxx/qla2xxx.o due to a stack overflow in validate_branch(). Due in part to KASAN being enabled, the qla2xxx code has a large number of conditional jumps, causing objtool to go quite deep in its recursion. By far the biggest offender of stack usage is the recently added 'prev_state' stack variable in validate_insn(), coming in at 328 bytes. Move that variable (and its tracing usage) to handle_insn_ops() and make handle_insn_ops() noinline to keep its stack frame outside the recursive call chain. Fixes: fcb268b47a2f ("objtool: Trace instruction state changes during funct= ion validation") Reported-by: Nathan Chancellor Closes: https://lore.kernel.org/20251201202329.GA3225984@ax162 Signed-off-by: Josh Poimboeuf Reported-by: Ingo Molnar Suggested-by: Ingo Molnar --- tools/objtool/check.c | 24 +++++++++++------------- 1 file changed, 11 insertions(+), 13 deletions(-) diff --git a/tools/objtool/check.c b/tools/objtool/check.c index 9ec0e07cce90..4e7b44f13b8c 100644 --- a/tools/objtool/check.c +++ b/tools/objtool/check.c @@ -3282,18 +3282,19 @@ static int propagate_alt_cfi(struct objtool_file *f= ile, struct instruction *insn return 0; } =20 -static int handle_insn_ops(struct instruction *insn, - struct instruction *next_insn, - struct insn_state *state) +static int noinline handle_insn_ops(struct instruction *insn, + struct instruction *next_insn, + struct insn_state *state) { + struct insn_state prev_state __maybe_unused =3D *state; struct stack_op *op; - int ret; + int ret =3D 0; =20 for (op =3D insn->stack_ops; op; op =3D op->next) { =20 ret =3D update_cfi_state(insn, next_insn, &state->cfi, op); if (ret) - return ret; + goto done; =20 if (!opts.uaccess || !insn->alt_group) continue; @@ -3303,7 +3304,8 @@ static int handle_insn_ops(struct instruction *insn, state->uaccess_stack =3D 1; } else if (state->uaccess_stack >> 31) { WARN_INSN(insn, "PUSHF stack exhausted"); - return 1; + ret =3D 1; + goto done; } state->uaccess_stack <<=3D 1; state->uaccess_stack |=3D state->uaccess; @@ -3319,6 +3321,8 @@ static int handle_insn_ops(struct instruction *insn, } } =20 +done: + TRACE_INSN_STATE(insn, &prev_state, state); return 0; } =20 @@ -3694,8 +3698,6 @@ static int validate_insn(struct objtool_file *file, s= truct symbol *func, struct instruction *prev_insn, struct instruction *next_insn, bool *dead_end) { - /* prev_state and alt_name are not used if there is no disassembly suppor= t */ - struct insn_state prev_state __maybe_unused; char *alt_name __maybe_unused =3D NULL; struct alternative *alt; u8 visited; @@ -3798,11 +3800,7 @@ static int validate_insn(struct objtool_file *file, = struct symbol *func, if (skip_alt_group(insn)) return 0; =20 - prev_state =3D *statep; - ret =3D handle_insn_ops(insn, next_insn, statep); - TRACE_INSN_STATE(insn, &prev_state, statep); - - if (ret) + if (handle_insn_ops(insn, next_insn, statep)) return 1; =20 switch (insn->type) { --=20 2.51.1